Change password schema and post-login script

hi at zakaria.website hi at zakaria.website
Sat Oct 22 23:57:32 UTC 2022


On 2022-10-22 18:00, Christos Chatzaras wrote:
> Hello,
> 
> 
> Question #1:
> 
> For version 2.3.19.1 these commands use BLF-CRYPT, right?
> 
> doveadm pw
> doveadm pw -s CRYPT
> 
> 
> Question #2:
> 
> I want to change password schema for current users.
> 
> For users using POP3 or IMAP I can do it using a post-login script.
> 
> I have some accounts used only to send e-mails using Postfix, so no 
> POP3/IMAP logins for these accounts.
> 
> Is there any way to change password schema for these accounts?
> 
> 
> My config:
> 
> # 2.3.19.1 (9b53102964): /usr/local/etc/dovecot/dovecot.conf
> # Pigeonhole version 0.5.19 (4eae2f79)
> # OS: FreeBSD 13.1-RELEASE-p2 amd64  zfs
> # Hostname: server2.example.com
> auth_master_user_separator = *
> auth_mechanisms = plain login
> auth_verbose = yes
> default_process_limit = 225
> disable_plaintext_auth = no
> first_valid_gid = 0
> first_valid_uid = 1001
> mail_location = 
> maildir:/home/mail/%d/%n:INDEX=/tmpfs/dovecot_%u:CONTROL=/var/mail/%d/%n
> mail_privileged_group = mail
> managesieve_notify_capability = mailto
> managesieve_sieve_capability = fileinto reject envelope 
> encoded-character vacation subaddress comparator-i;ascii-numeric 
> relational regex imap4flags copy include variables body enotify 
> environment mailbox date index ihave duplicate mime foreverypart 
> extracttext imapsieve vnd.dovecot.imapsieve
> namespace inbox {
>   inbox = yes
>   location =
>   mailbox Drafts {
>     auto = subscribe
>     special_use = \Drafts
>   }
>   mailbox Junk {
>     auto = subscribe
>     special_use = \Junk
>   }
>   mailbox Sent {
>     auto = subscribe
>     special_use = \Sent
>   }
>   mailbox "Sent Messages" {
>     auto = no
>     special_use = \Sent
>   }
>   mailbox Trash {
>     auto = subscribe
>     special_use = \Trash
>   }
>   prefix =
> }
> passdb {
>   args = /usr/local/etc/dovecot/passwd.master
>   driver = passwd-file
>   master = yes
>   result_success = continue
> }
> passdb {
>   args = /usr/local/etc/dovecot/passwd.suspended
>   deny = yes
>   driver = passwd-file
> }
> passdb {
>   args = /usr/local/etc/dovecot/passwd
>   driver = passwd-file
> }
> plugin {
>   imapsieve_mailbox1_before = 
> file:/usr/local/lib/dovecot/sieve/report-spam.sieve
>   imapsieve_mailbox1_causes = COPY
>   imapsieve_mailbox1_name = Junk
>   imapsieve_mailbox2_before = 
> file:/usr/local/lib/dovecot/sieve/report-ham.sieve
>   imapsieve_mailbox2_causes = COPY
>   imapsieve_mailbox2_from = Junk
>   imapsieve_mailbox2_name = *
>   quota = maildir:User quota
>   quota_max_mail_size = 100M
>   quota_rule = *:storage=2048M
>   quota_status_nouser = DUNNO
>   quota_status_overquota = 552 5.2.2 Mailbox is full
>   quota_status_success = DUNNO
>   quota_warning = storage=80%% quota-warning 80 %u
>   sieve = file:~/sieve;active=~/sieve.active
>   sieve_before = /usr/local/lib/dovecot/sieve/antispam.sieve
>   sieve_global_extensions = +vnd.dovecot.pipe
>   sieve_pipe_bin_dir = /usr/local/lib/dovecot/sieve
>   sieve_plugins = sieve_imapsieve sieve_extprograms
> }
> protocols = imap pop3 lmtp sieve
> service auth {
>   client_limit = 1125
>   unix_listener auth-client {
>     group = postfix
>     mode = 0660
>     user = postfix
>   }
> }
> service lmtp {
>   unix_listener /var/spool/postfix/private/dovecot-lmtp {
>     group = postfix
>     mode = 0600
>     user = postfix
>   }
> }
> service managesieve-login {
>   inet_listener sieve {
>     address = 127.0.0.1
>     port = 4190
>   }
> }
> service quota-status {
>   client_limit = 1
>   executable = quota-status -p postfix
>   inet_listener {
>     port = 12340
>   }
> }
> service quota-warning {
>   executable = script /root/cretapanel/quota-warning.sh
>   unix_listener quota-warning {
>     mode = 0666
>     user = dovecot
>   }
> }
> ssl_cert = </etc/ssl/certs/mail.pem
> ssl_dh = # hidden, use -P to show it
> ssl_key = # hidden, use -P to show it
> ssl_min_protocol = TLSv1.2
> userdb {
>   args = /usr/local/etc/dovecot/passwd
>   driver = passwd-file
> }
> verbose_proctitle = yes
> protocol imap {
>   imap_client_workarounds = delay-newmail tb-extra-mailbox-sep
>   mail_max_userip_connections = 20
>   mail_plugins = quota imap_quota imap_sieve imap_zlib
> }
> protocol pop3 {
>   mail_plugins = quota
>   pop3_client_workarounds = outlook-no-nuls oe-ns-eoh
>   pop3_uidl_format = %08Xu%08Xv
> }
> protocol lda {
>   postmaster_address = postmaster at example.com
>   sendmail_path = /usr/sbin/sendmail
> }
> protocol lmtp {
>   mail_plugins = quota sieve
>   postmaster_address = postmaster at example.com
> }

Hi there,

If I understood you correctly, yes, you can. Dovecot supports auth 
fallback, and you can specify it for user queries as well as auth 
queries. For example, full accounts (including sending) can still be 
queried from the main auth and user source; remove the sender-only 
entries from that source and add them to the fallback source with one 
tweak: set a different password schema there.

For more info, refer to:
https://doc.dovecot.org/configuration_manual/authentication/multiple_authentication_databases/

Also, note that the fallback doesn't have to be a database; you can set 
up a file-based one. Refer to:
https://doc.dovecot.org/configuration_manual/authentication/passwd_file/

Good luck.

Zakaria.

